Posted to dev@directory.apache.org by Emmanuel Lécharny <el...@gmail.com> on 2013/02/10 11:40:17 UTC

Kerberos keys & passwords

Hi guys,

as I'm working on the Kerberos server, I have a few questions.

1) Currently, when the added entry has a userPassword AT and a
krb5PrincipalName AT (which means it has a krb5principal OC), we create
the kerberos Keys using the password.

The problem is that the userPassword is a multiValued AT, so we use the
first password in the list to generate the keys. This is not necessarily
a good idea, but I don't see how we can improve this.

At least, we should inform the user about this fact

2) Service keys : as we use the same mechanism, we generate keys based
on the userPassword. Of course, we have no way to know that the added
entry is for a service (except for hosts), so the userPassword must
exist (and its value must be randomKey so that we don't use a weak
password).

Wouldn't it be better to generate the keys from a random password if the
userPassword AT is empty or absent ?

3) We definitively need to add a plugin in Studio to allow a user to
change its password, using the changePassword protocol (and a shell
script based tool to do so)

Thoughts ?

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: Kerberos keys & passwords

Posted by Kiran Ayyagari <ka...@apache.org>.
On Sun, Feb 10, 2013 at 4:10 PM, Emmanuel Lécharny <el...@gmail.com> wrote:

> Hi guys,
>
> as I'm working on the Kerberos server, I have a few questions.
>
> 1) Currently, when the added entry has a userPassword AT and a
> krb5PrincipalName AT (which means it has a krb5principal OC), we create
> the kerberos Keys using the password.
>
> The problem is that the userPassword is a multiValued AT, so we use the
> first password in the list to generate the keys. This is not necessarily
> a good idea, but I don't see how we can improve this.
>
I will repeat the same words said in the IM :)
'let us throw an error when Kerberos is enabled in the server and an entry
contains more than one password'

> At least, we should inform the user about this fact
>
> 2) Service keys : as we use the same mechanism, we generate keys based
> on the userPassword. Of course, we have no way to know that the added
> entry is for a service (except for hosts), so the userPassword must
> exist (and its value must be randomKey so that we don't use a weak
> password).
>
> Wouldn't it be better to generate the keys from a random password if the
> userPassword AT is empty or absent ?
>
yes, and we should generate keys only when such an entry contains
'krb5PrincipalName' attribute

> 3) We definitively need to add a plugin in Studio to allow a user to
> change its password, using the changePassword protocol (and a shell
> script based tool to do so)
>
+1

> Thoughts ?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com
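As an added example (not ApacheDS code, written here to illustrate the policy Kiran proposes and the hashed-value case Howard raises), assuming an entry is a plain dict mapping attribute names to lists of values: keys are derived only when krb5PrincipalName is present, more than one userPassword value is rejected, a missing or randomKey password yields a random key, and a hashed-only value ({SCHEME}...) is refused because a key cannot be derived from a hash (that last rule is an assumption, not something the thread decided). The string-to-key shown is only the PBKDF2 stage of RFC 3962 with the default realm+principal salt; the final AES-based DK() step is left out to stay stdlib-only.

```python
import hashlib
import secrets

RANDOM_KEY_SENTINEL = b"randomKey"  # value the thread uses to mean "generate a random key"
AES128_KEY_LEN = 16


class MultiplePasswordsError(ValueError):
    """Kerberos is enabled and the entry carries more than one userPassword value."""


class HashedPasswordError(ValueError):
    """Only hashed userPassword values exist; no plaintext to derive a key from."""


def krb_salt(principal: str) -> bytes:
    # RFC 3962 default salt: realm followed by the principal components, separators dropped
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode()


def string_to_key(password: bytes, principal: str, iterations: int = 4096) -> bytes:
    # PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (the DK() step is omitted here)
    return hashlib.pbkdf2_hmac("sha1", password, krb_salt(principal), iterations, AES128_KEY_LEN)


def plaintext_values(values):
    # "{SSHA}..." style values are hashes (OpenLDAP convention); keys need the plaintext
    return [v for v in values if not (v.startswith(b"{") and b"}" in v)]


def derive_entry_key(entry: dict, kerberos_enabled: bool = True):
    """Return ("derived", key), ("random", key) or None for an LDAP entry (constructed dict)."""
    principal = entry.get("krb5PrincipalName")
    if not kerberos_enabled or not principal:
        return None  # not a Kerberos principal: nothing to generate
    pwds = entry.get("userPassword", [])
    if len(set(pwds)) > 1:
        # Kiran's proposal: refuse rather than silently pick the first value
        raise MultiplePasswordsError("%s has %d userPassword values" % (principal, len(pwds)))
    usable = plaintext_values(pwds)
    if not pwds or (usable and usable[0] == RANDOM_KEY_SENTINEL):
        # service-style entry: random key instead of a (possibly weak) password
        return ("random", secrets.token_bytes(AES128_KEY_LEN))
    if not usable:
        raise HashedPasswordError("%s only has hashed userPassword values" % principal)
    return ("derived", string_to_key(usable[0], principal))
```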

Re: Kerberos keys & passwords

Posted by Emmanuel Lecharny <el...@apache.org>.
On Feb 10, 2013 20:28, "Howard Chu" <hy...@symas.com> wrote:

> Emmanuel Lécharny wrote:
>
>> Hi guys,
>>
>> as I'm working on the Kerberos server, I have a few questions.
>>
>> 1) Currently, when the added entry has a userPassword AT and a
>> krb5PrincipalName AT (which means it has a krb5principal OC), we create
>> the kerberos Keys using the password.
>>
>> The problem is that the userPassword is a multiValued AT, so we use the
>> first password in the list to generate the keys. This is not necessarily
>> a good idea, but I don't see how we can improve this.
>>
>
> In OpenLDAP the multiple userPassword values are just different hashes of
> the same plaintext. Does that approach work here?
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
>

Re: Kerberos keys & passwords

Posted by Emmanuel Lecharny <el...@apache.org>.
On Feb 10, 2013 20:28, "Howard Chu" <hy...@symas.com> wrote:

> In OpenLDAP the multiple userPassword values are just different hashes of
> the same plaintext. Does that approach work here?

Well, if the values are all representing the same password, then we don't
have any problem. The question is much more about a user storing more than
one password. This is not explicitly forbidden, and we might want to allow
that.

But we can also decide that we should only keep one single password (and
many values).

Re: Kerberos keys & passwords

Posted by Howard Chu <hy...@symas.com>.
Emmanuel Lécharny wrote:
> Hi guys,
>
> as I'm working on the Kerberos server, I have a few questions.
>
> 1) Currently, when the added entry has a userPassword AT and a
> krb5PrincipalName AT (which means it has a krb5principal OC), we create
> the kerberos Keys using the password.
>
> The problem is that the userPassword is a multiValued AT, so we use the
> first password in the list to generate the keys. This is not necessarily
> a good idea, but I don't see how we can improve this.

In OpenLDAP the multiple userPassword values are just different hashes of the 
same plaintext. Does that approach work here?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/